+
+def check_tls_ver(dev, hapd, phase1, expected):
+ eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ phase1=phase1)
+ ver = dev.get_status_field("eap_tls_version")
+ if ver != expected:
+ raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
+
+def test_ap_wpa2_eap_tls_versions(dev, apdev):
+ """EAP-TLS and TLS version configuration"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ tls = dev[0].request("GET tls_library")
+ if tls.startswith("OpenSSL"):
+ if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
+ check_tls_ver(dev[0], hapd,
+ "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
+ "TLSv1.2")
+ elif tls.startswith("internal"):
+ check_tls_ver(dev[0], hapd,
+ "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
+ check_tls_ver(dev[1], hapd,
+ "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
+ check_tls_ver(dev[2], hapd,
+ "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
+
+def test_rsn_ie_proto_eap_sta(dev, apdev):
+ """RSN element protocol testing for EAP cases on STA side"""
+ bssid = apdev[0]['bssid']
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ # This is the RSN element used normally by hostapd
+ params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
+ hapd = hostapd.add_ap(apdev[0], params)
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412")
+
+ tests = [ ('No RSN Capabilities field',
+ '30120100000fac040100000fac040100000fac01'),
+ ('No AKM Suite fields',
+ '300c0100000fac040100000fac04'),
+ ('No Pairwise Cipher Suite fields',
+ '30060100000fac04'),
+ ('No Group Data Cipher Suite field',
+ '30020100') ]
+ for txt,ie in tests:
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected()
+ logger.info(txt)
+ hapd.disable()
+ hapd.set('own_ie_override', ie)
+ hapd.enable()
+ dev[0].request("BSS_FLUSH 0")
+ dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
+ dev[0].select_network(id, freq=2412)
+ dev[0].wait_connected()
+
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected()
+ dev[0].flush_scan_cache()
+
+def check_tls_session_resumption_capa(dev, hapd):
+ tls = hapd.request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
+
+ tls = dev.request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
+
+def test_eap_ttls_pap_session_resumption(dev, apdev):
+ """EAP-TTLS/PAP session resumption"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TTLS", "pap user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", eap_workaround='0',
+ phase2="auth=PAP")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_ttls_chap_session_resumption(dev, apdev):
+ """EAP-TTLS/CHAP session resumption"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TTLS", "chap user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_ttls_mschap_session_resumption(dev, apdev):
+ """EAP-TTLS/MSCHAP session resumption"""
+ check_domain_suffix_match(dev[0])
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TTLS", "mschap user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+ domain_suffix_match="server.w1.fi")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
+ """EAP-TTLS/MSCHAPv2 session resumption"""
+ check_domain_suffix_match(dev[0])
+ check_eap_capa(dev[0], "MSCHAPV2")
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
+ domain_suffix_match="server.w1.fi")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
+ """EAP-TTLS/EAP-GTC session resumption"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TTLS", "user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_ttls_no_session_resumption(dev, apdev):
+ """EAP-TTLS session resumption disabled on server"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '0'
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "TTLS", "pap user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", eap_workaround='0',
+ phase2="auth=PAP")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the second connection")
+
+def test_eap_peap_session_resumption(dev, apdev):
+ """EAP-PEAP session resumption"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "PEAP", "user",
+ anonymous_identity="peap", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
+ """EAP-PEAP session resumption with crypto binding"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "PEAP", "user",
+ anonymous_identity="peap", password="password",
+ phase1="peapver=0 crypto_binding=2",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_peap_no_session_resumption(dev, apdev):
+ """EAP-PEAP session resumption disabled on server"""
+ params = int_eap_server_params()
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "PEAP", "user",
+ anonymous_identity="peap", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the second connection")
+
+def test_eap_tls_session_resumption(dev, apdev):
+ """EAP-TLS session resumption"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '60'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the third connection")
+
+def test_eap_tls_session_resumption_expiration(dev, apdev):
+ """EAP-TLS session resumption"""
+ params = int_eap_server_params()
+ params['tls_session_lifetime'] = '1'
+ hapd = hostapd.add_ap(apdev[0], params)
+ check_tls_session_resumption_capa(dev[0], hapd)
+ eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ # Allow multiple attempts since OpenSSL may not expire the cached entry
+ # immediately.
+ for i in range(10):
+ time.sleep(1.2)
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") == '0':
+ break
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Session resumption used after lifetime expiration")
+
+def test_eap_tls_no_session_resumption(dev, apdev):
+ """EAP-TLS session resumption disabled on server"""
+ params = int_eap_server_params()
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the second connection")
+
+def test_eap_tls_session_resumption_radius(dev, apdev):
+ """EAP-TLS session resumption (RADIUS)"""
+ params = { "ssid": "as", "beacon_int": "2000",
+ "radius_server_clients": "auth_serv/radius_clients.conf",
+ "radius_server_auth_port": '18128',
+ "eap_server": "1",
+ "eap_user_file": "auth_serv/eap_user.conf",
+ "ca_cert": "auth_serv/ca.pem",
+ "server_cert": "auth_serv/server.pem",
+ "private_key": "auth_serv/server.key",
+ "tls_session_lifetime": "60" }
+ authsrv = hostapd.add_ap(apdev[1], params)
+ check_tls_session_resumption_capa(dev[0], authsrv)
+
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ params['auth_server_port'] = "18128"
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '1':
+ raise Exception("Session resumption not used on the second connection")
+
+def test_eap_tls_no_session_resumption_radius(dev, apdev):
+ """EAP-TLS session resumption disabled (RADIUS)"""
+ params = { "ssid": "as", "beacon_int": "2000",
+ "radius_server_clients": "auth_serv/radius_clients.conf",
+ "radius_server_auth_port": '18128',
+ "eap_server": "1",
+ "eap_user_file": "auth_serv/eap_user.conf",
+ "ca_cert": "auth_serv/ca.pem",
+ "server_cert": "auth_serv/server.pem",
+ "private_key": "auth_serv/server.key",
+ "tls_session_lifetime": "0" }
+ hostapd.add_ap(apdev[1], params)
+
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ params['auth_server_port'] = "18128"
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the first connection")
+
+ dev[0].request("REAUTHENTICATE")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
+ if ev is None:
+ raise Exception("Key handshake with the AP timed out")
+ if dev[0].get_status_field("tls_session_reused") != '0':
+ raise Exception("Unexpected session resumption on the second connection")
+
+def test_eap_mschapv2_errors(dev, apdev):
+ """EAP-MSCHAPv2 error cases"""
+ check_eap_capa(dev[0], "MSCHAPV2")
+ check_eap_capa(dev[0], "FAST")
+
+ params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user", password="password",
+ scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
+ (1, "nt_password_hash;mschapv2_derive_response"),
+ (1, "nt_password_hash;=mschapv2_derive_response"),
+ (1, "generate_nt_response;mschapv2_derive_response"),
+ (1, "generate_authenticator_response;mschapv2_derive_response"),
+ (1, "nt_password_hash;=mschapv2_derive_response"),
+ (1, "get_master_key;mschapv2_derive_response"),
+ (1, "os_get_random;eap_mschapv2_challenge_reply") ]
+ for count, func in tests:
+ with fail_test(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user", password="password",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
+ (1, "hash_nt_password_hash;=mschapv2_derive_response"),
+ (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
+ (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
+ for count, func in tests:
+ with fail_test(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user",
+ password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "eap_mschapv2_init"),
+ (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
+ (1, "eap_msg_alloc;eap_mschapv2_success"),
+ (1, "eap_mschapv2_getKey") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user", password="password",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
+ identity="phase1-user", password="wrong password",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (2, "eap_mschapv2_init"),
+ (3, "eap_mschapv2_init") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
+ anonymous_identity="FAST", identity="user",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
+ phase1="fast_provisioning=1",
+ pac_file="blob://fast_pac",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_eap_gpsk_errors(dev, apdev):
+ """EAP-GPSK error cases"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
+ (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
+ "cipher=1"),
+ (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
+ "cipher=2"),
+ (1, "eap_gpsk_derive_keys_helper", None),
+ (2, "eap_gpsk_derive_keys_helper", None),
+ (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
+ "cipher=1"),
+ (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
+ "cipher=2"),
+ (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
+ (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
+ (1, "eap_gpsk_derive_mid_helper", None) ]
+ for count, func, phase1 in tests:
+ with fail_test(dev[0], count, func):
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ phase1=phase1,
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ (1, "eap_gpsk_init"),
+ (2, "eap_gpsk_init"),
+ (3, "eap_gpsk_init"),
+ (1, "eap_gpsk_process_id_server"),
+ (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
+ (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
+ (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
+ (1, "eap_gpsk_derive_keys"),
+ (1, "eap_gpsk_derive_keys_helper"),
+ (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
+ (1, "eap_gpsk_getKey"),
+ (1, "eap_gpsk_get_emsk"),
+ (1, "eap_gpsk_get_session_id") ]
+ for count, func in tests:
+ with alloc_fail(dev[0], count, func):
+ dev[0].request("ERP_FLUSH")
+ dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user", erp="1",
+ password="abcdefghijklmnop0123456789abcdef",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_ap_wpa2_eap_sim_db(dev, apdev, params):
+ """EAP-SIM DB error cases"""
+ sockpath = '/tmp/hlr_auc_gw.sock-test'
+ try:
+ os.remove(sockpath)
+ except:
+ pass
+ hparams = int_eap_server_params()
+ hparams['eap_sim_db'] = 'unix:' + sockpath
+ hapd = hostapd.add_ap(apdev[0], hparams)
+
+ # Initial test with hlr_auc_gw socket not available
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
+ eap="SIM", identity="1232010000000000",
+ password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
+ scan_freq="2412", wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ dev[0].wait_disconnected()
+ dev[0].request("DISCONNECT")
+
+ # Test with invalid responses and response timeout
+
+ class test_handler(SocketServer.DatagramRequestHandler):
+ def handle(self):
+ data = self.request[0].strip()
+ socket = self.request[1]
+ logger.debug("Received hlr_auc_gw request: " + data)
+ # EAP-SIM DB: Failed to parse response string
+ socket.sendto("FOO", self.client_address)
+ # EAP-SIM DB: Failed to parse response string
+ socket.sendto("FOO 1", self.client_address)
+ # EAP-SIM DB: Unknown external response
+ socket.sendto("FOO 1 2", self.client_address)
+ logger.info("No proper response - wait for pending eap_sim_db request timeout")
+
+ server = SocketServer.UnixDatagramServer(sockpath, test_handler)
+ server.timeout = 1
+
+ dev[0].select_network(id)
+ server.handle_request()
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ dev[0].wait_disconnected()
+ dev[0].request("DISCONNECT")
+
+ # Test with a valid response
+
+ class test_handler2(SocketServer.DatagramRequestHandler):
+ def handle(self):
+ data = self.request[0].strip()
+ socket = self.request[1]
+ logger.debug("Received hlr_auc_gw request: " + data)
+ fname = os.path.join(params['logdir'],
+ 'hlr_auc_gw.milenage_db')
+ cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
+ '-m', fname, data],
+ stdout=subprocess.PIPE)
+ res = cmd.stdout.read().strip()
+ cmd.stdout.close()
+ logger.debug("hlr_auc_gw response: " + res)
+ socket.sendto(res, self.client_address)
+
+ server.RequestHandlerClass = test_handler2
+
+ dev[0].select_network(id)
+ server.handle_request()
+ dev[0].wait_connected()
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected()
+
+def test_eap_tls_sha512(dev, apdev, params):
+ """EAP-TLS with SHA512 signature"""
+ params = int_eap_server_params()
+ params["ca_cert"] = "auth_serv/sha512-ca.pem"
+ params["server_cert"] = "auth_serv/sha512-server.pem"
+ params["private_key"] = "auth_serv/sha512-server.key"
+ hostapd.add_ap(apdev[0], params)
+
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha512-user.pem",
+ private_key="auth_serv/sha512-user.key",
+ scan_freq="2412")
+ dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha384-user.pem",
+ private_key="auth_serv/sha384-user.key",
+ scan_freq="2412")
+
+def test_eap_tls_sha384(dev, apdev, params):
+ """EAP-TLS with SHA384 signature"""
+ params = int_eap_server_params()
+ params["ca_cert"] = "auth_serv/sha512-ca.pem"
+ params["server_cert"] = "auth_serv/sha384-server.pem"
+ params["private_key"] = "auth_serv/sha384-server.key"
+ hostapd.add_ap(apdev[0], params)
+
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha512-user.pem",
+ private_key="auth_serv/sha512-user.key",
+ scan_freq="2412")
+ dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user sha512",
+ ca_cert="auth_serv/sha512-ca.pem",
+ client_cert="auth_serv/sha384-user.pem",
+ private_key="auth_serv/sha384-user.key",
+ scan_freq="2412")
+
+def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
+ """WPA2-Enterprise AP and association request RSN IE differences"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hostapd.add_ap(apdev[0], params)
+
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
+ params["ieee80211w"] = "2"
+ hostapd.add_ap(apdev[1], params)
+
+ # Success cases with optional RSN IE fields removed one by one
+ tests = [ ("Normal wpa_supplicant assoc req RSN IE",
+ "30140100000fac040100000fac040100000fac010000"),
+ ("Extra PMKIDCount field in RSN IE",
+ "30160100000fac040100000fac040100000fac0100000000"),
+ ("Extra Group Management Cipher Suite in RSN IE",
+ "301a0100000fac040100000fac040100000fac0100000000000fac06"),
+ ("Extra undefined extension field in RSN IE",
+ "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
+ ("RSN IE without RSN Capabilities",
+ "30120100000fac040100000fac040100000fac01"),
+ ("RSN IE without AKM", "300c0100000fac040100000fac04"),
+ ("RSN IE without pairwise", "30060100000fac04"),
+ ("RSN IE without group", "30020100") ]
+ for title, ie in tests:
+ logger.info(title)
+ set_test_assoc_ie(dev[0], ie)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ ("Normal wpa_supplicant assoc req RSN IE",
+ "30140100000fac040100000fac040100000fac01cc00"),
+ ("Group management cipher included in assoc req RSN IE",
+ "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
+ for title, ie in tests:
+ logger.info(title)
+ set_test_assoc_ie(dev[0], ie)
+ dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
+ eap="GPSK", identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ ("Invalid group cipher", "30060100000fac02", 41),
+ ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
+ for title, ie, status in tests:
+ logger.info(title)
+ set_test_assoc_ie(dev[0], ie)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412", wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
+ if ev is None:
+ raise Exception("Association rejection not reported")
+ if "status_code=" + str(status) not in ev:
+ raise Exception("Unexpected status code: " + ev)
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].dump_monitor()
+
+ tests = [ ("Management frame protection not enabled",
+ "30140100000fac040100000fac040100000fac010000", 31),
+ ("Unsupported management group cipher",
+ "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
+ for title, ie, status in tests:
+ logger.info(title)
+ set_test_assoc_ie(dev[0], ie)
+ dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
+ eap="GPSK", identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412", wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
+ if ev is None:
+ raise Exception("Association rejection not reported")
+ if "status_code=" + str(status) not in ev:
+ raise Exception("Unexpected status code: " + ev)
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].dump_monitor()
+
+def test_eap_tls_ext_cert_check(dev, apdev):
+ """EAP-TLS and external server certification validation"""
+ # With internal server certificate chain validation
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user",
+ ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ phase1="tls_ext_cert_check=1", scan_freq="2412",
+ only_add_network=True)
+ run_ext_cert_check(dev, apdev, id)
+
+def test_eap_ttls_ext_cert_check(dev, apdev):
+ """EAP-TTLS and external server certification validation"""
+ # Without internal server certificate chain validation
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="pap user", anonymous_identity="ttls",
+ password="password", phase2="auth=PAP",
+ phase1="tls_ext_cert_check=1", scan_freq="2412",
+ only_add_network=True)
+ run_ext_cert_check(dev, apdev, id)
+
+def test_eap_peap_ext_cert_check(dev, apdev):
+ """EAP-PEAP and external server certification validation"""
+ # With internal server certificate chain validation
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
+ identity="user", anonymous_identity="peap",
+ ca_cert="auth_serv/ca.pem",
+ password="password", phase2="auth=MSCHAPV2",
+ phase1="tls_ext_cert_check=1", scan_freq="2412",
+ only_add_network=True)
+ run_ext_cert_check(dev, apdev, id)
+
+def test_eap_fast_ext_cert_check(dev, apdev):
+ """EAP-FAST and external server certification validation"""
+ check_eap_capa(dev[0], "FAST")
+ # With internal server certificate chain validation
+ dev[0].request("SET blob fast_pac_auth_ext ")
+ id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
+ identity="user", anonymous_identity="FAST",
+ ca_cert="auth_serv/ca.pem",
+ password="password", phase2="auth=GTC",
+ phase1="tls_ext_cert_check=1 fast_provisioning=2",
+ pac_file="blob://fast_pac_auth_ext",
+ scan_freq="2412",
+ only_add_network=True)
+ run_ext_cert_check(dev, apdev, id)
+
+def run_ext_cert_check(dev, apdev, net_id):
+ check_ext_cert_check_support(dev[0])
+ if not openssl_imported:
+ raise HwsimSkip("OpenSSL python method not available")
+
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].select_network(net_id)
+ certs = {}
+ while True:
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
+ "CTRL-REQ-EXT_CERT_CHECK",
+ "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
+ if ev is None:
+ raise Exception("No peer server certificate event seen")
+ if "CTRL-EVENT-EAP-PEER-CERT" in ev:
+ depth = None
+ cert = None
+ vals = ev.split(' ')
+ for v in vals:
+ if v.startswith("depth="):
+ depth = int(v.split('=')[1])
+ elif v.startswith("cert="):
+ cert = v.split('=')[1]
+ if depth is not None and cert:
+ certs[depth] = binascii.unhexlify(cert)
+ elif "CTRL-EVENT-EAP-SUCCESS" in ev:
+ raise Exception("Unexpected EAP-Success")
+ elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
+ id = ev.split(':')[0].split('-')[-1]
+ break
+ if 0 not in certs:
+ raise Exception("Server certificate not received")
+ if 1 not in certs:
+ raise Exception("Server certificate issuer not received")
+
+ cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
+ certs[0])
+ cn = cert.get_subject().commonName
+ logger.info("Server certificate CN=" + cn)
+
+ issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
+ certs[1])
+ icn = issuer.get_subject().commonName
+ logger.info("Issuer certificate CN=" + icn)
+
+ if cn != "server.w1.fi":
+ raise Exception("Unexpected server certificate CN: " + cn)
+ if icn != "Root CA":
+ raise Exception("Unexpected server certificate issuer CN: " + icn)
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
+ if ev:
+ raise Exception("Unexpected EAP-Success before external check result indication")
+
+ dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
+ dev[0].wait_connected()
+
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected()
+ if "FAIL" in dev[0].request("PMKSA_FLUSH"):
+ raise Exception("PMKSA_FLUSH failed")
+ dev[0].request("SET blob fast_pac_auth_ext ")
+ dev[0].request("RECONNECT")
+
+ ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
+ if ev is None:
+ raise Exception("No peer server certificate event seen (2)")
+ id = ev.split(':')[0].split('-')[-1]
+ dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_eap_tls_errors(dev, apdev):
+ """EAP-TLS error cases"""
+ params = int_eap_server_params()
+ params['fragment_size'] = '100'
+ hostapd.add_ap(apdev[0], params)
+ with alloc_fail(dev[0], 1,
+ "eap_peer_tls_reassemble_fragment"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ with alloc_fail(dev[0], 1, "eap_tls_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ engine="1",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
+ if ev is None:
+ raise Exception("No CTRL-REQ-PIN seen")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ tests = [ "eap_peer_tls_derive_key;eap_tls_success",
+ "eap_peer_tls_derive_session_id;eap_tls_success",
+ "eap_tls_getKey",
+ "eap_tls_get_emsk",
+ "eap_tls_get_session_id" ]
+ for func in tests:
+ with alloc_fail(dev[0], 1, func):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ erp="1",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
+ identity="unauth-tls", ca_cert="auth_serv/ca.pem",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
+ identity="unauth-tls", ca_cert="auth_serv/ca.pem",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+ eap="WFA-UNAUTH-TLS",
+ identity="osen@example.com", ca_cert="auth_serv/ca.pem",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+ eap="WFA-UNAUTH-TLS",
+ identity="osen@example.com", ca_cert="auth_serv/ca.pem",
+ wait_connect=False, scan_freq="2412")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_ap_wpa2_eap_status(dev, apdev):
+ """EAP state machine status information"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hostapd.add_ap(apdev[0], params)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
+ identity="cert user",
+ ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
+ ca_cert2="auth_serv/ca.pem",
+ client_cert2="auth_serv/user.pem",
+ private_key2="auth_serv/user.key",
+ scan_freq="2412", wait_connect=False)
+ success = False
+ states = []
+ method_states = []
+ decisions = []
+ req_methods = []
+ selected_methods = []
+ for i in range(100000):
+ s = dev[0].get_status(extra="VERBOSE")
+ if 'EAP state' in s:
+ state = s['EAP state']
+ if state:
+ if state not in states:
+ states.append(state)
+ if state == "SUCCESS":
+ success = True
+ break
+ if 'methodState' in s:
+ val = s['methodState']
+ if val not in method_states:
+ method_states.append(val)
+ if 'decision' in s:
+ val = s['decision']
+ if val not in decisions:
+ decisions.append(val)
+ if 'reqMethod' in s:
+ val = s['reqMethod']
+ if val not in req_methods:
+ req_methods.append(val)
+ if 'selectedMethod' in s:
+ val = s['selectedMethod']
+ if val not in selected_methods:
+ selected_methods.append(val)
+ logger.info("Iterations: %d" % i)
+ logger.info("EAP states: " + str(states))
+ logger.info("methodStates: " + str(method_states))
+ logger.info("decisions: " + str(decisions))
+ logger.info("reqMethods: " + str(req_methods))
+ logger.info("selectedMethods: " + str(selected_methods))
+ if not success:
+ raise Exception("EAP did not succeed")
+ dev[0].wait_connected()
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
+ """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ params['wpa_ptk_rekey'] = '2'
+ hapd = hostapd.add_ap(apdev[0], params)
+ id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
+ password="abcdefghijklmnop0123456789abcdef")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"])
+ if ev is None:
+ raise Exception("PTK rekey timed out")
+ hwsim_utils.test_connectivity(dev[0], hapd)
+
+def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
+ """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+ dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
+ identity="gpsk user",
+ password="abcdefghijklmnop0123456789abcdef",
+ scan_freq="2412")